Hi all,

A while ago I came across the fact that popen was disabled in the Lua hooks in monotone for security reasons. Here is a patch that replaces it with a security-conscious version (like spawn() replaces execute()). The 'security consciousness' is simply accepting the command as an array of arguments rather than a single string to be parsed by the shell.
Returning a FILE* from C functions in Lua is tricky (there is a Lua FAQ on just this). This wasn't working for a while, then it was, and I don't understand what changed. If someone wants to look at that, I wouldn't mind. It would be good if people could test it on a bunch of different systems too...
I've only implemented this on Unix. I have no Windows knowledge or ability to test.
I'm assuming that attaching a patch to an email to the list is the correct way to submit this. Let me know if there is something else I should do.
spawn_pipe.patch
BTW, I'm using this on MacOS X to store my password securely in the system keychain. In particular, I have this in my monotonerc:
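    function get_passphrase(keypair_id)
       -- The command and its argument are passed as separate values,
       -- so no shell parses them.
       local procfin, procfout, pid = spawn_pipe("getPassword", "monotoneKey")
       -- Nothing is written to the child's stdin.
       procfin:close()
       -- read() with no format returns one line without the newline.
       local pass, errstr = procfout:read()
       procfout:close()
       -- Reap the child if it was started.
       if (pid ~= -1) then ret, pid = wait(pid) end
       return pass
    end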
Where getPassword is the following shell script:
    /usr/bin/security find-generic-password -ga "$1" 2>&1 > /dev/null | /sw/bin/sed -r -e 's/password: \"(.*)\"/\1/'
You set the password by launching "Keychain Access" from the Utilities folder and clicking on the little + at the bottom of the window. The Account Name is "monotoneKey", and the password is the password. :)
Cheers, Will :-}
